Sonarqube version : sonarqube-10.4.1.88267 / Developer Edition
Sonarqube analysis is not picking up Secrets quality profile though there are secrets in the scanned code.
The quality profile is assigned to all our projects but still shows usage as Never.
This is indeed confusing. The profile is displayed as “used never,” while I believe if you check your logs, you will find TextAndSecretsSensor executed.
It’s a known limitation, as “Secrets” is not an actual language, and all files in the project are actually analyzed. As technically no file has the “Secrets” language, the corresponding profile is not marked as used.
Thanks for the feedback; we will see how we can improve this.
Hi, I was wondering if a solution was found regarding this issue?
The same problem occurs on the Enterprise Edition v10.5.1 of the product.
In the meantime, is there a way to add this profile automatically over all projects in addition to any profile discovered by the tool (bulk add profile function maybe)?
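One way to do the bulk assignment asked about above is a small script against the SonarQube Web API; this is an added example, not SonarSource code or anything posted in the thread. It assumes `api/projects/search` (paged, admin permission) and `api/qualityprofiles/add_project` (profile-admin permission) with the parameters shown, and that the Secrets profile's language key is `secrets`; check both against your server's `/web_api` page before running it.

```python
"""Assign one quality profile (e.g. the Secrets "Sonar way") to every project.

Assumed endpoints: api/projects/search (returns "components" with "key" and
"paging.total") and api/qualityprofiles/add_project (project, language,
qualityProfile). The HTTP call is injected so it can be replaced offline."""
import base64
import json
import urllib.parse
import urllib.request


def make_caller(base_url, token):
    """Return call(method, path, params) using a user token as basic-auth user."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def call(method, path, params):
        url = base_url.rstrip("/") + "/" + path
        data = urllib.parse.urlencode(params)
        if method == "GET":
            req = urllib.request.Request(url + "?" + data)
        else:
            req = urllib.request.Request(url, data=data.encode(), method="POST")
        req.add_header("Authorization", "Basic " + auth)
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return json.loads(body) if body else {}

    return call


def list_project_keys(call, page_size=100):
    """Walk all pages of api/projects/search and collect project keys."""
    keys, page = [], 1
    while True:
        res = call("GET", "api/projects/search", {"p": page, "ps": page_size})
        keys.extend(c["key"] for c in res.get("components", []))
        if page * page_size >= res["paging"]["total"]:
            return keys
        page += 1


def assign_profile(call, language, profile_name, project_keys):
    """Add the named profile for `language` to each project; return keys done."""
    assigned = []
    for key in project_keys:
        call("POST", "api/qualityprofiles/add_project",
             {"project": key, "language": language, "qualityProfile": profile_name})
        assigned.append(key)
    return assigned


if __name__ == "__main__":
    # Placeholder URL and token; replace with your own server and a user token.
    call = make_caller("https://sonarqube.example.com", "YOUR_TOKEN")
    print(assign_profile(call, "secrets", "Sonar way", list_project_keys(call)))
```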
Hello Colin, thank you for your swift reply!
After running some scans with data that must have been reported up by the tool, I am certain that the QP Secrets isn’t taken into consideration during a code analysis by default.
Unless I manually add that QP in the project settings, no vulnerabilities regarding the use of confidential information (such as credentials, tokens or AWS keys for example) are reported.
Furthermore, even when I added that QP to the project, ran a scan and got a report informing me about the usage of confidential information, the message “Never” still appears under the “Used” property.